Information processing device that verifies a computer program, and gaming machine

ABSTRACT

An apparatus for processing information includes a memory device and a controller. The controller is configured to: access to a memory area in the memory device in which information related to a location of data including a computer program is stored; store contents of the memory area as a first inspection code into a first memory area of the memory device; at predetermined timing, access to a memory area in the memory device in which latest information is stored; store contents of the memory area as a second inspection code into a second memory area; compare the first and the second inspection codes; if the second inspection code does not agree with the first inspection code, output an error signal indicating inconsistency between the first and the second inspection codes; and if the second inspection code agrees with the first inspection code, perform verification of the computer program.

This application is based on and claims the benefit of priority fromJapanese Patent Application No. 2007-198763, filed on 31 Jul. 2007, thecontent of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an information processing device thatverifies as needed a computer program stored in a memory to restrict theoperation of the computer program for a case in which the computerprogram is found to be tampered with. Specifically, the presentinvention relates to a gaming machine that detects tampering of contentsof the memory, which has been made while a gaming program is inoperation, so as to restrict the operation of the gaming program.

2. Related Art

Conventionally, computer programs for verifying a gaming program of agaming machine have been known. These computer programs for the gamingmachine are written to describe processing for verifying a gamingprogram and a game system program (see Japanese Unexamined PatentApplication, First Publication No. 2007-125297).

In addition, a gaming machine is known by U.S. Patent ApplicationPublication No. 2006/0240888. A gaming machine includes: a card slot fora memory card storing gaming information; a gaming board including a ROMstoring a verification program for verifying the gaming information anda preliminary verification program for verifying the verificationprogram itself; and a motherboard including a RAM. The gaming machineverifies gaming information by the verification program that is storedin the RAM on the motherboard after the completion of the verificationperformed for the verification program by the preliminary verificationprogram.

In the conventional methods for verifying gaming machines, averification program executed by a CPU of a gaming machine scans theentire contents of a main memory, thus verifying the gaming machine. Theverification includes steps of: verifying consistency of contentsbetween an external memory and the main memory at a time of loading of acomputer program from the external memory to the main memory; andperforming continuous verification of the maintenance of the initialcontents of the computer program loaded to the main memory.

However, in recent operating systems a method called dynamic memoryallocation is adopted, in which a kernel, a basic portion of anoperating system, allocates a main memory having discontinuous addressesto a single program. Although, the method brings advantages that anumber of computer programs can be executed in parallel and in randomorder, it does not allow the main memory having continuous addresses tobe read and verified as the conventional method.

SUMMARY OF THE INVENTION

The present invention provides an information processing device that hasan operating system referencing a memory device by way of dynamic memoryallocation and which can verify a computer program using a verificationprogram operating as a part of a function of a kernel by referencing thecontents of the memory device where the computer program to be verifiedlies, thereby detecting damage and tampering of the contents of thememory device. In other words, the present invention provides theinformation processing device that can assure the computer program thatit is free of damage and tampering as long as it is present on thememory device.

In a first aspect of the present invention, an apparatus for processinginformation is provided, which includes a memory device and acontroller. The controller is configured to: access to a memory area inthe memory device in which information related to a location of dataincluding a computer program is stored; store contents of the memoryarea as a first inspection code into a first memory area of the memorydevice; at predetermined timing, access to a memory area in the memorydevice in which latest information related to the location of dataincluding the computer program is stored; store contents of the memoryarea as a second inspection code into a second memory area of the memorydevice; compare the first inspection code and the second inspectioncode; if the second inspection code does not agree with the firstinspection code, output an error signal indicating inconsistency betweenthe first inspection code and the second inspection code; and if thesecond inspection code agrees with the first inspection code, performverification of the computer program.

As described above, the memory device included in the apparatus forprocessing information is controlled according to dynamic memoryallocation. An operating system utilizing the dynamic memory allocationallows the apparatus for processing information to reference theinformation in the area of the memory device where the computer programto be verified lies so as to reference the contents of the computerprogram, even if discontinuous addresses are allocated for the computerprogram in the memory device. In other words, the apparatus according tothe present invention verifies the computer program lying in the memorydevice where addresses are discontinuously allocated, differing from aconventional technique that performs verification reading a memorydevice of continuous addresses.

The operating system is a basic program that enables the computerprogram to operate. A basic portion of the operating system is calledkernel, which performs administration such as resource control of asystem and control of interactions between hardware and a computerprogram. The computer program can use individual functions included inthe kernel that are provided as system calls. In an operating systemsupporting a multi-task environment, a kernel performs dynamic memoryallocation so as to control addresses used by each of a plurality ofcomputer programs on a page by page basis. Memory controlled on a pageby page basis is called virtual memory. The virtual memory possesses atheoretical address, which is defined separately from a physical addressthat is electronically presented on a computer address bus circuitry.

Using a system call provided by the kernel or operating as a built-inportion of the kernel, the verification program uses the function of thekernel of the operating system where the dynamic memory allocation isimplemented. The verification program, which can reference a table ofvirtual memory that stores the number of pages of virtual memory and amemory address corresponding to each page, can reference the contents ofa program to be verified that lies in the virtual memory.

An example of the operating system is Linux. Alternatively, it ispossible to adopt other systems such as Microsoft Windows (Registeredtrademark) and UNIX (Registered Trademark).

An example of building the verification program into a kernel is toactivate the verification program in a swapper function that isassociated with the initialization of variables in the kernel of a Linuxoperating system. Another example is to build the verification programinto an execve function that is one of system calls provided by a kernelof a Linux operating system. It should be noted that these examples donot limit the component of a kernel that activates the verificationprogram or into which the verification program is built.

The apparatus for processing information described above is required tocause the verification program to reference the table of virtual memoryindicating location of a program to be verified in the memory deviceeach time the verification program performs verification. The reason forthis is that the table of virtual memory is updated whenever need arisesby the kernel that allocates a plurality of computer programs to thememory device. In other words, the verification program references thelatest table of virtual memory that provides the location of the programto be verified in the memory device.

The controller described above is an integrated circuit that has thefollowing features: The controller includes terminals provided for anaddress bus, a data bus and an input/output permission logic etc., andbuilt-in components such as a calculation unit, a control unit and adecoder etc. The controller can process data and a set of instruction,which are received via the data bus, in predetermined order. Thecontroller can not only transmits necessary information and instructionto external components, but also receive information from the externalcomponents.

Different types of controllers may be adopted, such as a controller madeof one integrated circuit, a controller having a plurality ofinput/output functions so as to operate with peripheral chips, and anintegrated controller having built-in chips with additional functions.Examples of the controllers are peripheral chips such as QX677 and P35Of Intel Corporation; however the present invention is not limited tothese examples.

The inspection code described above may be a value representative of thecontents of the memory device where the computer program lies. It may bepossible to use a hush function that restricts a maximal memory by aresidual calculation so as to calculate a value of a predeterminednumber of bytes representative of the contents of the memory device. Inthis connection, “hush function” is a technical word for computers toindicate an operation to acquire a value representative of data or afunction to be used for obtaining the value.

Any type of outputting of an error signal by the controller describedabove may be adopted as long as it notifies a user of an occurrence ofthe error. The following are examples for this: The controller outputsinformation related to an error to a communication interface of theapparatus for processing information. The controller causes a displaydevice to display the information about the error. The controllerdelivers the error signal as logical output. The controller delivers theerror signal as logic for a specific address of an input/output port.The controller performs processing for rewriting a specific value in amemory area that the apparatus for processing information can reference.The controller performs processing for rewriting a specific value in amemory area that the operating system prepares. In addition, acombination between these examples described above may also be adopted.

In a second aspect of the present invention, an apparatus for processinginformation is provided, in which a verification program executed by thecontroller determines whether the second inspection code agrees with thefirst inspection code.

With the apparatus described above, the controller can select varioustypes of techniques to determine whether the contents agree between amemory area and the other memory area. One example of these techniquesis comparison of the contents between the memory areas. As an exemplarymethod applied to the comparison, it is possible to select anappropriate one such as: using instruction of comparison included in theset of instructions possessed by the controller; using a function ofcomparison included in service calls etc. provided by an operatingsystem; using a comparison function provided by a compiler that convertsa source code into an executable form; and using a comparison operatorprovided in the form of script language that operates on an operatingsystem. Another example is to adopt a technique to determine theconsistency based on the difference of contents between the two memoryareas, which are numerically treated.

In this way, the apparatus for processing information can assure thatthere is no damage or tampering in the program to be verified accordingto the consistency of contents between the two memory areas.

In a third aspect of the present invention, an apparatus for processinginformation is provided, in which the controller executes a verificationprogram that restricts the operation of the computer program.

As the restriction described above, it may be possible to use a programcontrol function possessed by an operating system so as to stop theoperation of the computer program in which damage or tampering has beenfound. Alternatively, it may be possible to restrict the access to anadministrator such that a user can not access to the memory area wherethe problematic computer program is found to lie.

In this way, the apparatus for processing information can prevent theproblematic program from adversely affecting the apparatus, particularlythe memory device.

In a fourth aspect of the present invention, an apparatus for processinginformation is provided, in which the controller executes a verificationprogram that restricts the operation of the apparatus.

As the restriction described above, it may be possible to inhibit aninput/output port from writing and reading by a computer programexecuted by the controller.

It may be possible for the computer program executed by the controllerto notify an operating system of execution of automatic shutdown, forexample, so as to shut down the apparatus for processing information.

In this way, the apparatus for processing information can prevent theproblematic program from adversely affecting the apparatus, particularlythe components that are electrically connected via a system bus.

In a fifth aspect of the present invention, an apparatus for processinginformation is provided, in which a Cyclic Redundancy Check is used forthe first inspection code and the second inspection code.

The CRC described above may have 16 bits wide, 32 bits wide, or otherwidths. Any generation algorithm is acceptable as long as it cancalculate a CRC value to be used for the verification of the computerprogram in the apparatus for processing information. In this connection,CRC represents a short for Cyclic Redundancy Check, which is a term ofcomputer technology related to a type of error code for detecting anerror during copying of data between storage media and transmission andreception of data via communication network.

Since the apparatus for processing information verifies the computerprogram according to the consistency of values having 32 bits wide, itis possible to decrease the load for the controller in terms of tasksrequired for verification, compared with a technique in which a wholeprogram lying over a plurality of memory areas is thoroughly verified.This results in a speed-up of verification. Particularly, even if theverification program is continued to periodically run in parallel with agaming program, it is possible to minimize the adverse restriction forthe performance of the gaming program.

In a sixth aspect of the present invention, an apparatus for processinginformation is provided, in which the controller determines thepredetermined timing with a verification program that uses a timingsignal generated independently of the computer program to be verified.

It may be possible to select an appropriate one from various types oftechniques in which the verification program uses the timing signalgenerated independently of the computer program to be verified. Oneexample is to use a Real Time Clock (RTC) built in the apparatus forprocessing information. Another example is to connect a timinggenerating circuit with a system bus of the apparatus for processinginformation. Still another example is to use a time function that isprovided by the compiler environment that converts a source code into anexecutable form.

In this way, the apparatus for processing information can notify thecontroller of an occurrence of need for periodic verification even ifthe controller performs processing other than that of verificationprogram. This allows the verification of the computer program in theapparatus for processing information to be continued periodically.

In a seventh aspect of the present invention, an apparatus forprocessing information is provided, in which the apparatus forprocessing information operates in a gaming machine that includes a gamecontroller for controlling a game with a gaming program and a displaydevice for displaying information related to the game, and the computerprogram verified by the apparatus for processing information is thegaming program.

The apparatus for processing information described above verifies thecomputer program lying in the memory device in an operating system thatperforming dynamic memory allocation.

In this way, the gaming machine can continue to periodically assure thatthe gaming program is not damaged or tampered with at a time of startupand throughout a period of operation.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart showing an information processing deviceaccording to the present invention that verifies a computer program atpredetermined timing;

FIG. 2 is a block diagram showing a setup of the information processingdevice according to the present invention;

FIG. 3 is a perspective view showing an example of an appearance of theinformation processing device according to the present invention;

FIG. 4 is a diagram illustrating a table that shows an example of alinear list for indicating the addresses of a main memory to which theinformation processing device according to the present invention refers;

FIG. 5 is a flow chart showing error processing of the informationprocessing device according to the present invention;

FIG. 6 is a flow chart showing the verification of a computer programperformed by the information processing device according to the presentinvention after a startup from the initial state;

FIG. 7 is a block diagram showing a setup of a gaming machine accordingto the present invention; and

FIG. 8 is a perspective view showing an example of an appearance of thegaming machine according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

A description is provided below regarding embodiments of the presentinvention. It should be noted that the scope of the present invention isnot limited to the following embodiments.

First Embodiment

According to a first embodiment of the present invention, an informationprocessing device operates as follows: The information processing deviceretrieves location information of a main memory in which a computerprogram is stored from a virtual memory table, and references contentsof the main memory corresponding to the location information, convertingthe contents into an inspection code to be stored in an array.Periodically referencing contents of the main memory based oninformation on the latest virtual memory table, the informationprocessing device converts the contents into an inspection code so as todetermine whether the inspection code agrees with that stored in thearray. If they do not agree with each other, the information processingdevice does not allow the computer program to be executed. If they agreewith each other, the information processing device verifies the computerprogram.

Second Embodiment

In a second embodiment of the present invention, a gaming machine thatcontrols a game by a computer program and displays information relatingto the game includes an information processing device so as to verifythe computer program for the game at a startup and at regular intervalscontinuously.

Third Embodiment

A third embodiment exemplifies an information processing device thatverifies a computer program at predetermined timing.

FIG. 1 is a flow chart showing the information processing device thatverifies the computer program at predetermined timing.

The entire flow shown in FIG. 1 is called from a swapper function (notshown) constituting a kernel of the Linux operating system, or anotherfunction constituting the kernel called from the swapper function. Forexample, the flow is called from an execve function (not shown) includedin system calls. Therefore, a verification program for verifying thecomputer program included in the information processing device can usefunctions of the kernel and can reference information related to thelocation of a main memory in which the computer program is stored, towhich usage area is allocated in a virtual memory according to dynamicmemory allocation by the kernel. In other words, the verificationprogram can reference contents of the computer program that lies in themain memory.

In FIG. 1, an information processing device 1 permits an interruption toa controller 10 (Step S1). Subsequently, the information processingdevice 1 obtains an initial program table, i.e. a table in a linear listformat of all the programs in operation, immediately after a startup ofa verification program, and calculates a CRC value of memory contentsindicated by each program, storing the CRC value in an array A (StepS2). The information processing device 1 determines whether a programhas been added (Step S3). If any, the information processing device 1retrieves a virtual memory table of the added program and calculates aCRC value of memory contents indicated by the added program, storing inaddition the CRC value in the array A (Step S4). If there is no additionof programs in Step S3, the information processing device 1 determineswhether an RTC interruption has occurred (Step S5). If an RTC interrupthas occurred, the information processing device 1 advances theprocessing from Step S5 to the next Step S6. That is, the informationprocessing device 1 obtains a virtual memory table used by a programlying in a main memory 13 (Step S6). Subsequently, the informationprocessing device 1 determines whether an executable flag of the programincluded in the table is true or false (Step S7). If the flag is true,the information processing device 1 calculates a CRC value of memorycontents indicated by the virtual memory table, and stores the CRC valuein an array B (Step S8). Subsequently, the information processing device1 determines whether the CRC value stored in the array A that iscalculated for the program to be verified agrees with the CRC valuestored in the array B (Step S9). If the two values agree with eachother, the information processing device 1 determines whether it hasfinished verification for the last memory area for the computer program(Step S11). If the verification is finished up to the last memory area,the information processing device 1 retrieves the table information forthe next program from the table obtained in Step S2 (Step S12).Subsequently, the information processing device 1 determines whether allof the programs have been verified or not (Step S13).

If the executable flag is false in Step S7, the information processingdevice 1 performs Step S11. If the value stored in the array A is notconsistent with the value stored in the array B in Step S9, theinformation processing device 1 performs error processing (Step S10). Ifthe verification is not finished up to the last memory for the computerprogram in Step S11, the information processing device 1 returns theprocessing to Step S7. If all the programs are not verified in Step S13,the information processing device 1 returns the processing to Step S6.In contrast, if all the programs are verified in Step S13, theinformation processing device 1 returns the processing to Step S3. If anRTC interruption has not occurred in Step S5, the information processingdevice 1 returns the processing to Step S3.

It is when the consistency is verified in Step S9 and the determinationis true (YES) in Step S13 that all the programs are considered to beverified. The result of the verification can be saved appropriately, forexample, by a program for saving the result to an external storagedevice 15 shown in FIG. 2.

Step S5 can alternatively be replaced by a step detecting a signalreceived from an external device connected via a communication interface22 shown in FIG. 2 (described later). Accordingly, it is possible toselect one of an RTC interruption and the detection of a signal.

The verification program shown in FIG. 1 waits for an RTC interruptionto occur in Step S5, while reiterating the loop from Steps S3 to S5.

Since the processing returns from Step S5 and Step S13 to Step S3, whichlies subsequent to Step S2, the first CRC value stored in the array A,which is obtained in Step S2, can be saved throughout the operation ofthe verification program.

The information processing device 1 of the present invention continuesto verify whether the array A agrees with the array B for all computerprograms on the main memory 13. The array A includes an initial CRCvalue that is calculated for each computer program, and the array Bincludes a CRC value, which is continued to calculate repeatedly foreach computer program. In such an arrangement, the informationprocessing device 1 can continue to periodically detect damage andtampering of each computer program to be verified, as long as eachcomputer program is present in the main memory 13, thus continuingverification of each computer program. Therefore, the informationprocessing device 1, can assure that the computer program to be verifiedhas not been damaged or tampered with while the verification program isin operation.

Since a real-time clock (RTC) 21, which outputs independent timeinformation, can be used to determine the timing included in theverification program to start the determination of consistency of CRCvalues, the information processing device 1 allows a computer program tobe periodically assured.

FIG. 2 is a block diagram illustrating a setup of an informationprocessing device of the present invention. An information processingdevice 1 includes a power unit 19 that provides electricity required forelectrical devices installed therein. A controller 10, installed in theinformation processing device 1, includes a CMOSRAM 11 storing editableinformation and the like concerning initial setting, which is read bythe information processing device 1 after a power-on or a reset, aBIOSROM 12 storing information concerning boot operation such as basicinput/output, a main memory 13, and a clock generation circuit 14.Furthermore, the controller 10 is connected to an external storagedevice 15, an extension interface 16, a control panel 18, an RTC 21, acommunication interface 22, an image control circuit 23, and a soundcontrol circuit 25 via a system bus 27. An extension board 17, which canadd functions to the information processing device 1, can be connectedto the extension interface 16 as needed.

The main memory 13 operates as main storage of the controller 10 via amemory bus 30. Unless otherwise stated, the term “memory” designates themain memory 13. The RTC 21 is a real-time clock circuit including abattery 28 to continue operation even if the power unit 19 is suspended.Accordingly, the RTC 21 operates asynchronously to the operation of thecontroller 10 and outputs time information. The clock generation circuit14 is a circuit generating an operation clock of the controller 10. Theclock generation circuit 14 may include a frequency dividing circuit.The extension board 17 includes an additional gaming board and the likewhich use functions of the controller 10 via the extension interface 16.An image displaying device 24 is connected to the image control circuit23. A speaker 26 is connected to the sound control circuit 25. The soundcontrol circuit 25 is a circuit generating a beeping sound to notify auser of an error and the like occurring in the operation of a computerprogram concerning a boot operation stored in the BIOSROM 12, a circuitincreasing and decreasing the amplitude by converting digital sound datainto an analog sound signal, a circuit of like kind, or a combination ofthe above. There is flexibility for selection of type of the speaker 26.

After the information processing device 1 starts operation from aninitial state, i.e. starts up after a power-on or a reset, thecontroller 10 checks the connection with the external storage device 15and the main memory 13, boots an operating system (not shown) stored inthe external storage device 15, and copies a file from the externalstorage device 15 to the main memory 13 according to the contents of theBIOSROM 12 defining basic input/output.

The operating system is a basic program that allows components includedin the information processing device 1, such as the controller 10, themain memory 13, the external storage device 15 and the like, to operatein a multi-task environment. The operating system performs dynamicmemory allocation so as to control addresses of a memory on a page bypage basis, which each of a plurality of computer programs on the mainmemory 13 uses. Furthermore, the operating system provides each of thecomputer programs with information such as a program ID, a user ID, anexecutable flag, a virtual memory page number, a start page number ofvirtual memory, and the like, in a standard format to administer thecomputer programs.

A preferable example of the standard format is a linear list, which isone type of data structure that is used for representing aligned data.

The communication interface 22 has a function to communicate withexternal components which can send/receive information to/from theinformation processing device 1, using a signal of a predeterminedformat. The signal of the predetermined format includes: a signaldefined in International Telecommunication Union TelecommunicationStandardization Sector (ITU-T) Recommendations; a signal conforming tothe Ethernet (Registered Trademark) standard using twisted pair cablessuch as 100 Base-T; a signal conforming to other Ethernet standards; asignal conforming to Bluetooth standard; a signal using radio waves,infrared rays or light energy for communication; any signal conformingto the abovementioned standards; and a combination of the above.

The communication interface 22 can receive a start signal so as toactivate a verification program of the present invention atpredetermined timing, which is available from the programs executed bythe controller 10.

FIG. 3 is a perspective view showing an example of an appearance of theinformation processing device 1 of the present invention. Theinformation processing device 1 has a cabinet 42, which has the imagedisplaying device 24, the control panel 18 and the speaker 26 on a frontface thereof. The information processing device 1 accepts operations bya user through the control panel 18, and displays necessary informationand the like on the image displaying device 24. If damage, tampering,and the like are detected in a computer program to be verified, theinformation processing device 1 may also display information related toresults of detection on the image displaying device 24, or output asound signal with the speaker 26 for notifying a user of an occurrenceof an error.

The information processing device 1 of the present invention can be apart of a gaming machine that includes means for performing a gameoperation, means for controlling a game, and means for displaying visualcontents related to the game. In addition, the information processingdevice 1 can provide a gaming service in which the operation by a userand a display of images are accompanied by sound output from the speaker26.

The information processing device 1 for verifying computer programs canbe included in other devices in addition to the gaming machine describedabove. The information processing device 1 of the present invention canbe included in, for example, an automatic teller machine, an automateddispenser of valuable papers, an automated voucher dispenser, and thelike.

A timing signal generated by the RTC 21 shown in FIG. 2 is preferablyused to determine the timing at which the information processing device1 starts verifying a computer program to be verified. Alternatively, alogic delivered by a computer program that processes the timing signalgenerated by the RTC 21, a signal received from another informationprocessing device connected to the information processing device 1 viathe communication interface 22, a combination of the above, or a logicof a combination of the above, can be used.

FIG. 4 is a table showing an example of a linear list for indicating theaddress of the main memory 13 to which the information processing device1 refers. A linear list is generated for each computer program. FIG. 4shows lists generated for 3 computer programs; however, the number oflists is not limited thereto, but the number of lists corresponding tothat of computer programs may be prepared. For example, a list ofprograms for a program ID-1 in a column T1 includes, a program name T2,a user name T3, and an executable flag T4. A page number T5 of a virtualmemory in the list shows that the program ID-1 uses N pages of virtualmemory. Additionally, an address of the first page of the virtual memoryT6 and an address of the N-th page of the virtual memory T7 and the likeare included in the list. A list is similarly generated for programshaving other program IDs.

A memory address defined on a page by page basis in the linear list isgenerated according to a memory management method of an operating systemthat performs dynamic memory allocation. Therefore, in the operatingsystem to which the dynamic memory allocation is applied, it is possibleto find an address of a virtual memory corresponding to a particularprogram by referencing the linear list.

FIG. 5 is a flow chart showing error processing in the verificationillustrated in FIG. 1. In the error processing, the informationprocessing device 1 shuts down a computer program in which an initialCRC value does not agree with a CRC value at a time of verification(Step S21), notifies the operating system of the existence of theproblematic computer program (Step S22), and outputs an error signal(Step S23). Subsequently, the information processing device 1 accessesto a database related to information about computer programs that willbe harmful if they stay in the main memory 13 so as to determine whetherit is necessary to immediately shut down the information processingdevice 1 (Step S24). If the information processing device 1 does notdetermine that it is necessary, it terminates the error processing.

If the information processing device 1 determines that it is necessaryto shut down the information processing device 1 in Step S24, it causesthe external storage device 15 to store operating information of theinformation processing device 1 (Step 25), notifying the operatingsystem to shut down the information processing device 1 (Step S26).

Step S22 is a step in which the controller 10 included in theinformation processing device 1, shown as the third aspect of thepresent invention, executes a verification program that restrictsoperation of the computer program. Step S26 is a step in which thecontroller 10 included in the information processing device 1, shown asthe fourth aspect of the present invention, executes a verificationprogram that restricts operation of the information processing device 1.

In Step S23 of outputting an error signal, the information processingdevice 1 may output an electric signal to the image control circuit 25shown in FIG. 2 and cause the image displaying device 24 to displaypredetermined text information, image information, and the like so as tonotify a user of damage or tampering of the computer program.Alternatively, in Step S23 of outputting an error signal, theinformation processing device 1 may output an electric signal asdescribed above and notify a user with a sound through the speaker 26.Furthermore, in Step S23 of outputting an error signal, the informationprocessing device 1 may alternatively notify a user via thecommunication interface 22 shown in FIG. 2, in a form of a signalavailable for information transmission, such as: a phase-modulatedelectric signal, a frequency-modulated electric wave, anamplitude-modulated optical signal, and the like.

Thus, the information processing device 1 can detect the damage andtampering of the computer program to be verified during a period ofcontinuously repeated verification, and restrict the operation of thecomputer program if there is damage or tampering. In addition, theinformation processing device 1 can restrict the operation of theinformation processing device 1 if there is damage or tampering in thecomputer program.

Fourth Embodiment

A fourth embodiment exemplifies an information processing device 1 thatverifies computer programs at a startup.

FIG. 6 is a flow chart showing the information processing device 1 ofthe present invention verifying the computer program after a startupfrom the initial state.

The information processing device 1 handles a file, which is a unit ofinformation processed by an operating system, and copies a plurality offiles from an external storage device 15 to a memory area X (Step S31).The file can be a computer program with an executable flag T4 being truein the table shown in FIG. 4, or a numerical value or a character withan executable flag T4 being false. Address information of the memoryarea X in a main memory 13 is administered by dynamic memory allocation.Subsequently, the information processing device 1 copies the same filesfrom the external storage device 15 to a memory area Y (Step S32). Thememory area Y is also under dynamic memory allocation. Subsequently, theinformation processing device 1 determines whether the contents of thememory area X and those of the memory area Y are consistent (Step S33).If they are consistent, the information processing device 1 terminatesthe processing. If they are not consistent in Step S33, the informationprocessing device 1 sets a logical value of the executable flag to false(Step S34), restricts input/output of the information processing device1 (Step S35), notifies the operating system of an occurrence ofinconsistent contents (Step S36), outputs a signal indicating an error(Step S37), and terminates the processing.

If the contents are consistent with each other in Step S33, it indicatesthat the files are verified at a startup of the information processingdevice 1. In other words, computer programs included in the files areverified. The results of the verification can be saved appropriately,for example, by a computer program that implements saving performed bythe external storage device 15 shown in FIG. 2.

Step S34 is a step in which the controller 10 included in theinformation processing device 1, shown as the third aspect of thepresent invention, executes a verification program that restrictsoperation of the computer program. Step S35 is a step in which thecontroller 10 included in the information processing device 1 executes averification program that restricts operation of the informationprocessing device 1.

Step S27 of outputting an error signal is similar to Step S23 shown inFIG. 5.

The information processing device 1 can verify the files, while thefiles are copied from the external storage device 15 to the main memory13. In other words, the information processing device 1 can assure atits startup that the files which will undergo verification have not beendamaged or tampered with.

Fifth Embodiment

A fifth embodiment exemplifies a verification program that is executedby a controller 10 included in an information processing device 1 andwhich verifies the consistency of contents between two memory areas.

The controller 10 shown in FIG. 2, as described in the third embodiment,references a main memory 13 by using a function of the kernel performingdynamic memory allocation in the information processing device 1.

As described in the fourth embodiment, the information processing device1 can verify, at a startup from the initial state, the files to beverified while the files are copied from an external storage device 15to the main memory 13. In addition, the information processing device 1can continue to periodically detect damage and tampering of a computerprogram using inspection codes, as long as the computer program ispresent in the main memory 13.

As described above, the verification is performed in the fourthembodiment by determining whether the two memory areas are consistent(Step S33 in FIG. 6), and in the third embodiment by determining whetherthe two inspection codes are consistent (Step S9 of FIG. 1).

The controller 10 can use: instruction sets included in the controller10 itself; service calls provided by an operating system; functionsprovided by a compiler which converts a source code of a computerprogram into an executable format; operators and the like provided byscripting languages running on an operating system; and a combination ofthe above. The controller 10 can, for example, determine the consistencyof contents between two memories by comparison. The controller 10 can,as another example, determine the consistency of contents between twomemories, using integer arithmetic instructions included in theinstruction sets of the controller 10. The controller 10 performs thedetermination as follows: dividing each of the two memory contents intoinformation units which can be calculated by the controller 10;calculating, for each division, the difference between the two memories;and determining whether the difference is 0 for each division.

The information processing device 1 of the present invention candetermine the consistency of contents between the two memories by acomputer program including a comparison instruction or a differencecalculation that is executed by the controller 10.

Furthermore, the verification program in the information processingdevice 1 uses functions of a kernel performing dynamic memoryallocation. An embedded program for judging the consistency of contentsbetween the two memories in the verification program allows theverification program to reference the contents of the main memory 13 onwhich the computer programs are present, which are administered bydynamic memory allocation.

The program for judging the consistency of the two memory contents canreference the main memory 13 on which inspection codes are present.Therefore, the determination of consistency of two inspection codes inStep S9 shown in FIG. 1 is included in the program for determining theconsistency of contents between the two memories.

Sixth Embodiment

A sixth embodiment exemplifies a verification program that is executedby a controller 10 included in an information processing device 1 andwhich restricts operation of computer programs that will undergoverification.

As described in the third embodiment and shown in Step S7 of FIG. 1, theverification program references the virtual memory table indicating thelocation of a computer program to be verified on a main memory 13 anddetermines whether the logical value of the executable flag is true. Ifthe computer program to be verified is executable during a period inwhich the computer program is present in the main memory 13, a logicalvalue of the executable flag thereof in the virtual memory table istrue. As shown in Step S21 of FIG. 5, the error processing performedduring the period includes shutting down a program having aninconsistent CRC value.

Furthermore, as described in the fourth embodiment and shown in Step S34of FIG. 6, the error processing performed for a case where damage,tampering and the like are detected in the computer program to beverified while files are copied from an external storage device 15 to amemory area, includes the following: setting a logical value of theexecutable flag to false for the inconsistent memory contents andprohibiting the computer program from operating.

Such shutting down and prohibiting is realized by the verificationprogram executed by the controller 10 referencing the virtual memory onwhich the computer program to be verified is present, by using kernelperforming dynamic memory allocation. In other words, the verificationprogram executed by the controller 10 included in the informationprocessing device 1 can restrict the operation of the computer programusing a program management function of the kernel, if damage ortampering is found for the computer program.

Seventh Embodiment

A seventh embodiment exemplifies a computer program that is executed bya controller 10 included in an information processing device 1 and whichrestricts operation of the information processing device 1.

As described in the third aspect of the present invention and shown inStep S25 of FIG. 5, the error processing for a case where damage,tampering and the like are detected in a computer program while thecomputer program is present in a main memory 13, includes notifying anoperating system of shutting down of the information processing device1.

Furthermore, as described in the fourth aspect of the present inventionand shown in Step S35 of FIG. 6, the error processing for a case wheredamage, tampering and the like are detected in a computer program whilefiles are copied from an external storage device 15 to a memory area,includes restricting input/output of the information processing device1. An example of the restriction is appropriate blocking of input from acontrol panel 18 shown in FIG. 2 so as not to allow the computer programto start up again, in which damage, tampering and the like are found.

A verification program executed by the controller 10 included in theinformation processing device 1 can notify shut-down and restrictinput/output, thus restricting the operation of the informationprocessing device 1 for a case where damage or tampering is found.

Eighth Embodiment

An eighth embodiment exemplifies an information processing device 1using CRC as an inspection code stored in first and second memory areas.

CRC is widely used as an error detection code in the transfer of datafrom a magnetic storage device to a memory device and the like. In theinformation processing device 1, a 32 bit-wide CRC value, for example,represents contents of a computer program to be verified. This indicatesthat a 32-bit numerical value represents contents of the computerprogram that uses several hundred bytes of a main memory 13. A methodfor performing continuously periodic verification for the computerprogram includes: referencing contents of the main memory 13 in whichthe computer program is present, using a virtual memory table indicatingthe location of the computer program on the main memory 13; calculatinga 32-bit numerical value; and determining whether the calculated 32-bitnumerical value agrees with the initial 32-bit numerical value. That is,the contents of the main memory 13 are verified through the stored32-bit numerical value in lieu of the data of several hundred bytes.

The information processing device 1 assures that the computer program tobe verified is not damaged or tampered with for a case where a CRC valuein a first verification and a CRC value in a continuously periodicverification are consistent.

The information processing device 1 of the present invention, whichperforms verification based on consistency of CRC values, can promptlyperform a continuously periodic verification of the computer program.The verification program of the information processing device 1 canverify the computer program without lowering processing capacity of thecontroller 10 even if the controller 10 executes other processing inaddition to the verification program.

Ninth Embodiment

A ninth embodiment exemplifies an information processing device 1 thatdetermines predetermined timing of verification by a computer programthat uses a timing signal generated independently of a computer programto be verified.

A preferable example of the timing signal is an output from an RTC 21.The RTC 21, a real-time clock circuit, which includes a battery 28 tocontinue operation even if a power unit 19 is suspended, operatesasynchronously to the operation of a controller 10 and outputs timeinformation.

An example of a typical RTC chip is a D-1302 manufactured by MaximIntegrated Products, Inc.; however, the RTC 21 is not limited theretoand any chip that operates asynchronously to an operation clock of thecontroller 10 can be appropriately selected for use in the informationprocessing device 1 of the present invention. Since the RTC 21 can be acircuit independent of the controller 10, the RTC 21 can be provided asan extension board connected via an extension interface 16 included inthe information processing device 1.

In Step S5 depicted in FIG. 1 as described in the third aspect of thepresent invention it is determined whether there is an interruption bythe RTC 21 and a verification program stands by while reiterating StepsS3 to S5. Since an RTC interruption occurs according to time informationthat is independently delivered by a circuit driven by a battery 28built in the RTC 21, it is asynchronous to the operation of theverification program standing by while performing the reiterationdescribed above.

For example, suppose that the RTC 21 outputs an hour-minute-second valuein an HH:MM:SS format and increments the value for SS once a second. Ifa value for SS is binary, the least significant bit shifts from true tofalse once every two seconds. With the introduction of theabovementioned technique to an interruption of the controller 10, it ispossible to generate a condition to advance the processing of theverification program from Step S5 to S6 at a frequency of once every twoseconds.

The abovementioned frequency can be flexibly designed by: a choice ofRTC; an additional logic circuit that can convert output data from anRTC; and a program that can convert output data from the RTC. Forexample, the abovementioned frequency can be controlled by a computationsuch as an integral multiplication of a value that is computed by afunction referencing output data delivered from the RTC 21. In thisconnection, the value is provided by a compiler that converts a computerprogram from a source code into an executable format.

The computer program to be verified can thus be periodically verified attiming asynchronous to the clock of the controller 10, by using acomputer program that stands by waiting for an RTC interruption.

When all programs have been verified, the verification program stands byagain by reiterating Steps S3 to S5, without terminating the processingin accordance with a branch of the flow as shown in Step S13 of FIG. 1.Therefore, the information processing device 1 of the present inventioncan continuously verify the computer programs.

As described above, the information processing device 1 can obtaintiming information for verifying a computer program from a circuit, afunction, and an external device, which have time informationindependent of the operation of the controller 10. In other words, whilethe controller 10 executes processing other than that for theverification program, the information processing device 1 can notify thecontroller 10 of the need for periodical verification. In such anarrangement, the information processing device 1 can verify the computerprograms regularly and continuously.

Step S5 may be replaced by a step that detects a signal received from anexternal device connected via a communication interface 22 shown in FIG.2. Alternatively, it may be possible to adopt a technique that allowsthe signal and the RTC interruption to be selectably used in Step S5.

Tenth Embodiment

A tenth embodiment exemplifies a setup of a gaming machine including:means for controlling a game by way of a computer program; means fordisplaying information relating to the game; and an informationprocessing device of the present invention. In this example, theinformation processing device verifies the computer program.

FIG. 7 is a diagram showing a configuration of the gaming machineincluding the information processing device of the present invention.Descriptions are not repeated for the same portions as those in FIG. 2.

A gaming machine 40 includes an information processing device 1 and maybe provided with a coin sensor 33 for detecting insertion of coins and acommunication port 34 for communicating with external devices. Thecommunication port 34 is connected to a communication interface 22 ofthe information processing device 1. A preferable example for thecommunication port 34 is a network connecting terminal with which atwist pair cable transmitting a 100 Base-T signal is compatible.

By using a computer program stored in an external storage device 15, thegaming machine 40 controls a game based on an input operation by a userfrom a control panel 18 and displays information related to the game byusing an image control circuit 23 and an image displaying device 24.Furthermore, the gaming machine 40 can output sound related to the gameusing a sound control circuit 25 and a speaker 26.

Using the information processing device 1 of the present invention, thegaming machine 40 shown in FIG. 7 can verify a computer program that isstored in the external storage device 15 and present in a main memory 13while it is used for the game.

As described in the fourth embodiment of the present invention, theinformation processing device 1 can assure that the computer program isnot damaged or tampered with at a startup when the computer program iscopied from the external storage device 15 to the main memory 13. Inaddition as shown in the third embodiment of the present invention, theinformation processing device 1 can continuously and periodically verifythe computer program at predetermined timing while the computer programis present on the main memory 13, thus assuring that the computerprogram is not damaged or tampered with.

It may be possible for an administrator of the gaming machine 40 tostart the verification of a gaming program by sending predeterminedinformation to the information processing device 1 via the communicationport 34.

If damage, tampering or the like is detected on the gaming program upona startup from the initial state, the gaming machine 40 can prohibit thegaming program from starting up by restricting the informationprocessing device 1 from executing input and output, as shown in StepS35 of FIG. 6 in the fourth embodiment the present invention. Forexample, a restriction of input and output is preferably performedthrough suspending the control panel 18 of FIG. 7 so as to prevent auser from instructing a startup of the gaming program.

If damage, tampering or the like is detected in the gaming program whilethe gaming program is present in the main memory 13, the execution ofthe gaming program can be terminated, as shown in Step S21 of FIG. 5 inthe third embodiment of the present invention. Furthermore, if thegaming program with the detected damage, tampering or the like is foundto be harmful according to an information database related to computerprograms that are harmful for the operation of the informationprocessing device 1 if they stay in the main memory 13, the informationprocessing device 1 can notify an operating system of a requiredshut-down. The information database is stored, for example, in theexternal storage device 15 shown in FIG. 2.

The gaming machine 40 can thus control the game and display the gameinformation by using the gaming program, which is verified by theinformation processing device 1. Therefore, while the gaming program iscopied from the external storage device 15 to the main memory 13, thegaming machine 40 can assure that the gaming program is not damaged ortampered with.

When the gaming machine 40 detects damage, tampering or the like for thegaming program by a periodically continued verification, it can restrictnot only the operation of the gaming program, but also the informationprocessing device 1 so as to restrict the operation of the gamingmachine 40. Therefore, the gaming machine 40 of the present inventioncan assure a gaming program continually and periodically, throughout theperiod in which the gaming program is present in the main memory 13.

Eleventh Embodiment

An eleventh embodiment exemplifies a gaming machine including: means forcontrolling a game by way of a computer program; means for displayinginformation related to the game; and an information processing device ofthe present invention. In this example, the information processingdevice inspects the computer program.

FIG. 8 is a perspective view showing an example of the gaming machineaccording to an embodiment of the present invention, having the setupillustrated in FIG. 7. A gaming machine 40 according to the presentembodiment is a slot machine. It should be noted that the gaming machine40 is not restricted to a slot machine. For example, the gaming machine40 may be a gaming machine with a single game such as a video slotmachine, video card gaming machine, etc. In addition, the gaming machine40 may be a so-called mass gaming machine (multi-terminal gamingmachine), such as a horse racing gaming machine, a bingo gaming machine,a lottery gaming machine, etc., which requires a predetermined period oftime before a display of the game results.

With the gaming machine 40, a player plays a game using coins or bills,or equivalent electronic value information. It should be noted that thecredits used in the present invention are not particularly restricted.Examples of credits include medals, tokens, and electronic money.

The gaming machine 40 shown in FIG. 8 includes a cabinet 42. Three reels54 (54L, 54C, and 54R) are rotatably placed inside the cabinet 42. Asymbol sequence including 22 patterns (referred to as “symbols”hereinafter) is depicted on the outer face of each reel 54.

A lower image display panel 56 is provided in front of each reel 54. Thelower image display panel 56 includes a transparent liquid crystalpanel, which displays various kinds of information with respect to thegame or images for providing visual effects in the game. The lower imagedisplay panel 56 serves as a device for displaying information accordingto the present invention. The lower image display panel 56 includes acredit amount display unit 71 and a payout amount display unit 72. Thecredit amount display unit 71 displays the number of coins inserted ascredits in the form of an image. When a combination of symbols arrangedon a pay line matches a predetermined combination, the payout amountdisplay unit 72 displays an image of the number of coins to be paid out.

The lower image display panel 56 includes three display windows 55 (55L,55C, and 55R) through which three symbols depicted on the outer face ofeach reel 54 are displayed. The lower image display panel 56 has asingle pay line L that extends across the three display windows 55 alongthe horizontal direction. The pay line determines a winning combinationof symbols. When the combination of symbols arranged along the pay linematches a predetermined combination, a predetermined number of coins arepaid out according to the combination and the number of coins inserted(BET amount).

It should be noted that an arrangement may be made according to thepresent invention in which multiple pay lines are formed such that eachline extends across the three display windows 55 in the horizontaldirection or in oblique directions. With such an arrangement, the numberof active pay lines is determined according to the number of coinsinserted. When the combination of symbols arranged along any one of theactive pay lines matches a predetermined combination, a predeterminednumber of coins are paid out according to the combination.

Furthermore, a touch panel (not shown) is provided in front of the lowerimage display panel 56, which allows the player to input various kindsof instructions.

Units provided below the lower image display panel 56 include: a controlpanel 18 including multiple buttons 63 through 67, which allow theplayer to input instructions for advancing the game; a coin slot 61through which coins are inserted into the cabinet 42; and a billvalidator 62.

The control panel 18 includes the spin button 63, the change button 64,the cash out button 65, the 1-BET button 66, and the maximum BET button67. The spin button 63 allows the player to input an instruction tostart rotation of the reels 54. The change button 64 is used to call astaff of an amusement facility so as to have money changing. The cashout button 65 allows the player to input an instruction to discharge thecoins stored as the credits to a coin tray 58.

The 1-BET button 66 allows the player to input an instruction to bet asingle coin on the game. The maximum BET button 67 allows the player toinput an instruction to bet, from the coins stored as the credits, themaximum number of coins (in the present embodiment, 50) that the playercan bet on a single game.

It should be noted that in the present invention, the phrase “creditsare inserted” indicates that the credits are spent. Examples ofsituations in which credits are spent include: a situation in which thecredits are bet on the game; and a situation in which the credits arespent on other operations such as switching the game mode, as describedlater. For example, suppose a situation in which the coins inserted intothe coin slot 61 are directly bet on the game. With such a situation,the insertion of the coins into the coin slot 61 corresponds to theinsertion of credits. On the other hand, suppose a situation in whichthe coins inserted into the coin slot 61 are temporarily stored ascredits, and upon the player operating the 1-BET button 66 or themaximum BET button 67, the coins stored as the credits are bet on thegame. With such a situation, using the coins stored as credits forbetting on the game corresponds to the insertion of credits.

The bill validator 62 whether a bill is genuine, and stores the billthus determined to be genuine in the cabinet 42.

An upper image display panel 73 is disposed in the front face of thecabinet 42. The upper image display panel 73 includes a liquid crystalpanel which displays images for visual effects, images for introducingthe game, and images for explaining the rules of the game. With thepresent embodiment, the upper image display panel 73 serves as a devicefor displaying information according to the present invention, in thesame way as the lower image display panel 56. Alternatively, either thelower image display panel 56 or the upper image display panel 73 mayserve as the device for displaying information.

The cabinet 42 has a speaker 26. A card reader 76, a data indicator 77,and a keypad 78 are provided below the lower image display panel 56.

The card reader 76 reads out data from a smart card, and writes data tothe smart card. The smart card is a card possessed by a player thatstores data for identifying the player, and data related to the historyof the games played by the player. In addition, the smart card may storedata that corresponds to coins, bills, or credits. Moreover, a magneticstripe card may be employed instead of the smart card. The dataindicator 77 includes a fluorescent display or the like for displayingthe data read out via the card reader 76 or the data input by the playervia the keypad 78.

The gaming machine 40 of the present invention, an embodiment of whichis shown in FIG. 8, controls the game using a computer program based oninput from the spin button 63 and the like, and displays informationrelated to the game on the display window 55, the upper image displaypanel 73 and the like. The gaming machine 40 can continue toperiodically assure that the computer program is not damaged, tamperedwith or the like, at a startup and throughout a period in which thecomputer program is present in the main memory 13 by periodicalverification of the computer program performed by the informationprocessing device 1.

Preferred embodiments of the present invention have been describedabove; however, the present invention is not limited to the scope of theabovementioned embodiments. Various modifications or improvements can bemade to the above embodiments. Embodiments with such modifications orimprovements can also be included in the scope of the present invention,as disclosed in the claims. For example, the present invention is alsoapplicable to: an ATM (automatic teller machine); an automated dispenserof valuable papers such as railway ticket, commuter pass, air tickets,phone card and the like; an automated voucher terminal for sales voucherand the like; an automated legal document terminal for residencecertification and the like.

The information processing device of the present invention for verifyingprograms can verify computer programs at a startup thereof from theinitial state and during operation of the information processing deviceat predetermined timing, by using an operating system performing dynamicmemory allocation. The abovementioned arrangement allows for: detectionof damage, tampering or the like of the computer program on theoperating system performing dynamic memory allocation; continuation ofperiodical verification for damage, tampering or the like of thecomputer program while present in the main memory; and assurance thatthe program is not damaged, tampered with or the like throughout aperiod in which the program is present on the main memory.

What is claimed is:
 1. An apparatus for processing information,comprising: a memory device; and a controller, wherein the controller isconfigured to: access a memory area in the memory device storinginformation related to a location of computer program data; calculate afirst inspection code, a value representative of the contents of thememory device where the computer program lies, using contents of saidmemory area; store said first inspection code; upon occurrence of apredetermined condition, access said memory area in the memory devicestoring said information related to the location of computer programdata; calculate a second inspection code, a value representative of thecontents of the memory device where the computer program lies, usingcontents of said memory area accessed upon occurrence of saidpredetermined condition; store said second inspection code; compare thestored first inspection code and the stored second inspection code; ifthe second inspection code does not agree with the first inspectioncode, output an error signal indicating inconsistency between the firstinspection code and the second inspection code; and if the secondinspection code agrees with the first inspection code, performverification of the computer program.
 2. The apparatus according toclaim 1, wherein a verification program executed by the controllerdetermines whether the second inspection code agrees with the firstinspection code.
 3. The apparatus according to claim 1, wherein thecontroller executes a verification program that restricts the operationof the computer program.
 4. The apparatus according to claim 1, whereinthe controller executes a verification program that restricts theoperation of the apparatus for processing information.
 5. The apparatusaccording to claim 1, wherein a Cyclic Redundancy Check is used for thefirst inspection code and the second inspection code.
 6. The apparatusaccording to claim 1, wherein the controller determines thepredetermined timing with a verification program that uses a timingsignal generated independently of the computer program to be verified.7. The apparatus according to claim 1, wherein the apparatus operates ina gaming machine that includes a game controller for controlling a gamewith a gaming program and a display device for displaying informationrelated to the game, and the computer program verified by the apparatusis the gaming program.
 8. The apparatus according to claim 2, furthercomprising a real-time clock circuit, wherein the real-time circuitoperates asynchronously to the operation of the verification program andoutputs time information.
 9. The apparatus according to claim 8, furthercomprising a power unit and the real-time clock circuit includesbattery, wherein the battery supplies power to continue operation if thepower unit operation is suspended.
 10. The apparatus according to claim9, wherein the verification program is in a standby mode awaiting aninterruption of the power unit.